The Joomla! Project today announced the immediate release of Joomla! 1.0.14 RC1 [Daybreak], the first and hopefully only release candidate for the 1.0.14 release cycle. Several security issues have been discovered and addressed for this release. While the required changes are not significant, the number of impacted files is significant and we need your help. Before this release is declared stable we need to ensure that it works as well for you as it does for us.
Those of you who are able and willing, please download a copy of 1.0.14 RC1 and test it on a backup copy of your live site. Make sure that the system works as well as or better than Joomla! 1.0.13, our current stable release. Please report any issues that you find in the 1.0.x Bug Tracker. If you have questions on how to report a bug, you should read the how-to, and if you still have questions, please feel free to ask them in our 1.0.x Quality and Testing forum.
Since this release fixes security vulnerabilities, once you have verified on a backup of your site that everything works as expected, we suggest that you upgrade your live site to this release.
RELEASE NOTES
Joomla! 1.0.14 RC1 is a release candidate that addresses several security issues that have been discovered since our last stable release, Joomla! 1.0.13. It is regarded as a mostly stable release and after adequate testing on a backup or sandbox version of your live site you should upgrade your live site to 1.0.14 RC1. As soon as we are comfortable that the required security changes for this release have not broken any functionality from version 1.0.13 we will package and release a 1.0.14 Stable release.
Along with the security fixes listed below, several other issues were fixed in this release. These range from administrator session log out problems to the media manager, pagination and web links, all the way to improper search word highlighting in the search component. This release looks to be our most secure and stable one yet.
- SECURITY [LOW] Fixed XSS issue in com_search
- SECURITY [LOW] Fixed XSS issue in search results pages
- SECURITY [LOW] Fixed multiple typos in back end com_content making array integer check ineffective
- SECURITY [HIGH] Fixed CSRF issue allowing portal compromise - Administrator components.
Evolving upgrade instructions and documentation can be found on our shiny new documentation wiki at http://docs.joomla.org/Upgrade_Instructions .
Please note that if you are installing 1.0.14 RC1 using one of the full package files you will need to manually remove the /installation directory after installation has been completed. As this is a Release Candidate it does not include the test which would force you to remove this directory. The patch packages do not include an /installation directory.
Upgrading your site to 1.0.14 RC1 from any version of Joomla! 1.0.x first requires that you choose the correct patch package. For example, if you currently have version 1.0.13 installed you will need the 1.0.13 to 1.0.14 RC1 patch package.
NOTE: Patch packages for 1.0.14 RC1 only exist going back to Joomla! version 1.0.12. If you need to upgrade from an earlier version, you will need to first upgrade to 1.0.13, then upgrade to 1.0.14 RC1.
Once you have downloaded the correct package, you need to overwrite the files on the Joomla! site you are upgrading with the files in the patch package. This can be done in either of two ways. You can uncompress the patch package, then use an FTP client to transfer the files to your server, overwriting the existing files. Alternatively, if your web provider gives you access to your site through a web admin panel such as CPanel or Plesk, you can use the system's file manager to upload the patch package file to your server, then extract it there and overwrite all the files on your server.
If you find errors after the process, ensure that all files were properly transferred. There have been verified reports of some FTP clients not properly transferring files to a server, without notifying the user of the problem. One possible cause is that under certain circumstances the web server locks the files it is using, so the FTP server cannot update them. One possibility is to take the site offline briefly during the FTP transfer.
If you have questions about any part of this process, you will get the best answers and support from fellow Joomla! users in the upgrading forum. Make sure you search to see if someone else has had the issue and found a solution that works for you. If not, feel free to post your question so someone can help.
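One way to run the transfer check described above, as an added example that is not part of the original announcement or of the Joomla! project's code: it compares every file in the extracted patch package against a copy of the site tree by SHA-256 and also flags a leftover /installation directory. It assumes both trees are available as local directories (for example a downloaded mirror of the site); the function names and the sample files built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_upgrade(patch_dir, site_dir):
    """Check each file of the extracted patch package against the site tree."""
    report = {"missing": [], "mismatch": [], "installation_present": False}
    for root, _dirs, files in os.walk(patch_dir):
        for name in files:
            source = os.path.join(root, name)
            rel = os.path.relpath(source, patch_dir)
            target = os.path.join(site_dir, rel)
            if not os.path.isfile(target):
                report["missing"].append(rel.replace(os.sep, "/"))   # never arrived
            elif sha256_file(source) != sha256_file(target):
                report["mismatch"].append(rel.replace(os.sep, "/"))  # stale or altered
    report["missing"].sort()
    report["mismatch"].sort()
    # Full packages ship /installation; it has to be removed by hand.
    report["installation_present"] = os.path.isdir(os.path.join(site_dir, "installation"))
    return report

def demo():
    """Constructed sample: two temp trees mimicking a partly failed transfer."""
    base = tempfile.mkdtemp()
    patch, site = os.path.join(base, "patch"), os.path.join(base, "site")
    files = {"index.php": b"<?php // new\n", "lib/core.php": b"<?php // new core\n",
             "components/example/view.php": b"<?php // new view\n"}
    for rel, data in files.items():
        for tree in (patch, site):
            os.makedirs(os.path.dirname(os.path.join(tree, rel)), exist_ok=True)
            with open(os.path.join(tree, rel), "wb") as handle:
                handle.write(data)
    with open(os.path.join(site, "lib/core.php"), "wb") as handle:
        handle.write(b"<?php // old core\n")      # locked file kept its old content
    os.remove(os.path.join(site, "components/example/view.php"))  # upload dropped
    os.makedirs(os.path.join(site, "installation"))  # leftover installer directory
    return verify_upgrade(patch, site)

if __name__ == "__main__":
    print(demo())
```

Any path listed under `missing` or `mismatch` should be transferred again before the site is put back online.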